Reputation: 22760
Curious problem.
Newly developed website, uses 3rd party login system which uses sessions (surprise!). Website works perfectly on all instances, on all browsers except Internet Explorer 11 (and possibly previous versions, unchecked).
Header
does not to do a redirect on every affected page_
in domain name or URL.
a) Each page has a controller file with header information included on it:
header("Cache-Control: no-cache, must-revalidate"); //HTTP 1.1
header("Expires: Thu, 19 Nov 2011 08:52:00 GMT"); // Date in the past
header('Content-Type: text/html; charset=utf-8');
header("X-Clacks-Overhead: GNU Terry Pratchett");
header_remove("X-Powered-By");
header("X-XSS-Protection: 1; mode=block");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Language: en");
header("Content-Security-Policy: upgrade-insecure-requests;");
header("Referrer-Policy: origin-when-cross-origin"); //referrer for Chrome
header("Referrer-Policy: strict-origin-when-cross-origin");
if (isset($_SERVER['HTTP_USER_AGENT']) &&
    (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false)){
    header('X-UA-Compatible: IE=edge,chrome=1');
}
b) As part of this process, a cookie check is carried out to know if the cookies are enabled on the client browser. This is done across both login/access controlled and public site areas.
if($_COOKIE['cookieEnabled'] !== "yes") {
    \setcookie('cookieEnabled', "yes", time() + 42000, "/", $_SERVER['HTTP_HOST'], true, true);
}
All it is, is a cookie that says "yes", cookies are enabled if the cookie is not already set. Simple.
c) Below this, there is controller code to load the session variables and do other stuff for the 3rd party admin side of things.
// Create / Include the Session Object - Session.php
$session = new Session($db);
d) I have set up a testing statement within the Session.php __construct to do this:
session_start();
if($_COOKIE['cookieEnabled'] !== "yes" && empty($_SESSION)) {
    error_log("INFO: An access attempt without a session or cookie was attempted...");
    if($_COOKIE['cookieEnabled'] !== "yes"){
        error_log("Cookie does not appear to be enabled");
    }
    die("unimportant debug error");
}
Note that the session array will never be empty as it's prepopulated on previous pages.
e) The [local] PHP.ini is thus:
session.cookie_secure=1
default.charset=utf-8
error_log=/home/domainaccount/error/PHP_error.log
session.save_path=/home/domainaccount/sessionz
session.cookie_domain=domain.org.uk
NOTE: The web path is:
/home/domainaccount/public_html/
The PHP.ini values have been checked with phpinfo() and are set correctly.
I load the website in various browsers and it logs in just fine, all works, session data is carried.
However on IE11 it does not. It simply comes back with a blank screen, no errors, no feedback (aka session data passed back to login page), and no code-based error logs.
Error log shows:
INFO: An access attempt without a session or cookie was attempted...
A whole bunch of times but no indication that the cookie is denied, simply the session.
Unsurprisingly, the login page features a header location redirect for both success and failed login attempts.
IE version number: 11.248.16299.0.
IE cookie settings: first party cookies accepted, third party cookies accepted, always allow session cookies.
1) Why does this occur ONLY for IE?
2) How can I solve this (change my headers, cookie setup, etc.?)
Upvotes: 6
Views: 3465
Reputation: 121
Some versions of IE silently drop cookies if the server time is in the past compared to the client time. Properly setting server/client time may help.
That's horrific -- servers will be far more accurate timekeepers than client browsers. Can you reference this at all?
I came across it once in a description from someone else on GitHub and it fixed my problem.
As a side note, since you explicitly called out no underscores in the domain, are you aware that leading numerals are also invalid URLs according to the RFC and IE also has problems with them?
Upvotes: 5
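The answer above attributes the dropped cookies to the server clock being behind the client's. As an added example (not part of the original posts; the helper names check_cookie_clock and http_date and all header values are constructed for illustration), this script takes a response's Date and Set-Cookie headers and reports the clock offset and which cookies a client with a given clock would treat as already expired:

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response headers (not captured from the asker's site).
# The Expires value is the Date plus the question's 42000-second lifetime.
SAMPLE_HEADERS = [
    ("Date", "Mon, 05 Mar 2018 01:00:00 GMT"),
    ("Set-Cookie", "cookieEnabled=yes; expires=Mon, 05 Mar 2018 12:40:00 GMT; "
                   "path=/; secure; HttpOnly"),
    ("Set-Cookie", "PHPSESSID=constructedvalue; path=/; secure; HttpOnly"),
]


def http_date(text):
    """Parse an HTTP date into an aware UTC datetime."""
    parsed = parsedate_to_datetime(text)
    if parsed.tzinfo is None:          # e.g. a "-0000" zone parses as naive
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_cookie_clock(headers, client_now):
    """Compare a response's Date and cookie Expires values with a client clock.

    Hypothetical helper: returns the clock offset in seconds (positive when the
    server clock is behind the client), the cookies whose Expires is not after
    client_now, and the cookies that carry no Expires at all.
    """
    server_now, expires_by_name = None, {}
    for name, value in headers:
        if name.lower() == "date":
            server_now = http_date(value)
        elif name.lower() == "set-cookie":
            pair, *attrs = [part.strip() for part in value.split(";")]
            found = None
            for attr in attrs:
                key, _, val = attr.partition("=")
                if key.strip().lower() == "expires":
                    found = http_date(val.strip())
            expires_by_name[pair.split("=", 1)[0]] = found
    if server_now is None:
        raise ValueError("response has no Date header")
    return {
        "server_behind_by": (client_now - server_now).total_seconds(),
        "expired_on_arrival": sorted(n for n, e in expires_by_name.items()
                                     if e is not None and e <= client_now),
        "no_expires": sorted(n for n, e in expires_by_name.items() if e is None),
    }
```

Feed it the headers from a real response (for example from the browser's network tab) together with the client machine's current UTC time to see whether the offset exceeds the cookie lifetime.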